E-signature and Documentum.......way to go...

What is E- Signature?

An electronic signature is defined as an electronic sound (e.g., audio files of a person's voice), symbol (e.g., a graphic representation of a person in JPEG file), or process (e.g., a procedure that conveys assent), attached to or logically associated with a record, and executed or adopted by a person with the intent to sign the record. An electronic signature is easy to implement, since something as simple as a typed name can serve as one. E- Signatures are implemented in Documentum by TCS (trusted content Services)

What are E signatures in Documentum Terms?

Trusted content Services (TCS) is the product that enables your Documentum Repository to apply E-Signature.

Following are the features of the TCS:

1.  Repository Encryption :

TCS enables the encryption of the filestore. The encrypted FileStore prevents the access of content from the Operating System. The content is exposed in Decrypted Form by Documentum DFC API.

As per EMC there will be 12% degradation in performance of Documentum Content Server. But there are substantial advantages also:

a. Content security even if OS security is compromised

b. Protection against rogue administrator

c. Secure storage/ backup

2.   Multi- Dimensional Access Control (MAC) :

In Documentum access to the content is controlled via ACLs. Using MAC access to the content can be based upon the group membership of the user even though the user is having Default permission.

3.   Digital Shredding

Even if the data is deleted from Operating system the magnetic traces of the content still exists on the physical storage medium. When content is deleted via digital shredding it automatically writes the data over the multiple times over the location to ensure that it cannot be recovered.

4.   E-Signature

TCS enables content stored in Documentum to be E-Signed. While E signing the content the Date time stamp, user name, and remarks are stored and displayed on the content.

Each signature contains hash-checksum which verifies the authencity of signed content. The act of signing can enforce justification codes that are compliant with FDA 21 CFR part 11 requirement.

In this blog i’m focused on enabling /using the Esignature in the workflows

  Sample workflow:

Description of sample workflow:

Esignature of the manual activities user/s

       1. Approve Document by First Authority

       2. Approve Document by second Authority

Will be applied at the automatic activities:

        1. Apply Esignature for user

        2. Apply E Signature for second Authority

If a user rejects at 2nd activity then Esignatures will be removed by “Remove Esignature” acitivity

To apply the esignature we need the user password and a remarks from the user. 

      1. We can make a process variable for password and ask the user to enter it there.

In this approach we need to create a password process variable for each manual/auto activity pair so that other users can’t see that . We can also create a process variable for the remarks/justification of the signature. Since there is no field called password (like in JSP) in workflow hence the password string will be visible.

 
             (sample inbox screen for an activity user in webtop )

      2. The other way is to make the Manual activity to be “signoff” when a user forwards we can to customize the signoff component to get the user password as save it in a process variable.

But still there is an issue as process variables are stored in documentum tables and hence can be used for other purposes like reporting etc. We need to clear out these fields once there usage is complete.

Let’s move to the DFC Api and see how we can apply or remove E-signature.

To apply Esignature e-signature to a document. Following method is provided by DFC api

addESignature(String userName, String password, String signatureJustification,

  String formatToSign, String hashAlgorithm, String preSignatureHash,

  String signatureMethodName, String applicationProperties,

  String passThroughArgument1, String passThroughArgument2)

throws DfException

Electronically sign an object. This method performs the following actions:

1. Verify that Trusted Content Services are enabled.

2. Authenticate the user using the password argument.

3. Verify that the document is checked-in.

4. Validate any pre-existing signatures.

5. Verify that preSignatureHash is valid.

A sample run of the same method:

doc.addESignature("dmadmin", "Hello123","just for testing123", "pdf", "SHA-1", "", "esign_pdf", "", "", "");

To verify the integrity of the signature following method is provided:

document.verifyESignature();

This method performs the following actions:

1. Verify that Trusted Content Services are enabled.

2. Verify that the object is signed.

3. Verify that the last addesignature audit record for this object is valid.

4. Verify that the signature hash in the audit record matches the object hash.

If any of the above method cannot verify e-signature or is unable to apply e-signature a DfException will be thrown.

Whenever an E-signature is applied to the document an audittrail entry is created for the Esignature event named like dm_addesignature...

After the invocation "addESignature" if esignatures are applied successfully then if any user edits the document the next invocation of "addESignature" or invocation of  "verifyESignature" will throw DfException.

As TCS will create a key of the document using SHA-1 algorithm and stores it in the audittrail table against the dm_addesignature.. event.  on executing any of the  above 2 methods next time , the signature are verified with key stored in  audittrail table.

     How to remove esignature from a document ?

To Reject /Remove the E-signature applied to the document. I used the following process:

1. Checkout the object at a defined location using IDFCheckout operation.

2. Using itext fetch the File object

3. Remove the first page from the document

Following is code snippet for step 2 &3 :

PdfReader reader = new PdfReader(filepath);

OutputStream fout = new FileOutputStream(finalpath);

//get the number of pages in the pdf

int pagesNumber = reader.getNumberOfPages();

Document document = new Document(PageSize.A4);

PdfWriter writer = PdfWriter.getInstance(document, fout);

document.open();

PdfContentByte cb = writer.getDirectContent();

// since need to remove the 1^st page of the document we //will get the pages starting //from the 2^nd page and save them inside a new document

for(int pages = 2; pages <= pagesNumber; pages++) {

document.newPage();

PdfImportedPage page = writer.getImportedPage(reader, pages);

if (pages == 2) {

PdfString title = new PdfString("Comments Added by the "+userName, "UTF-8");

PdfString content = new PdfString(annotationComment,"UTF-8");

float f1 = 10;

float f2 = 10;

float f3 = 120;

float f4 = 720;

PdfAnnotation ann = new PdfAnnotation(writer, f1, f2, f3,f4, title, content);

writer.addAnnotation(ann);

                                                             }

cb.addTemplate(page, 0, 0);

}

                  4. Checkin the document as the same version

5. Delete the audit trails of the document for events related to E-signature

Following query can be used to delete the signature :

delete dm_audittrail objects where audited_obj_id ='"+auditObjectId+"' and event_name like 'dm_addesignature%'

TCS uses a template which is the first page of an e-signed document. We can customize the document to some extend.

The document can be found inside following folder path in documentum :

/Integration/Esignature/Templates 

An admin user like dmadmin will have the access to it but this cabinet is hidden so we need to disable the hidden property of the cabinet to access the document from UI.

Once able to access the document customize according to your needs make a new version of the document.

To apply the Esignature, Documentum uses script named:

esign_pdf.ebs

It can found inside: \Documentum\product\6.5\bin

shortcomming of the above sample workflow :

The password being used for the signature needs to be saved in a process variable which can be a security concern.

To overcome this issue we can customize the Quickflow and signoff components of the Documentum web application and used quickflows but this restricts the flexibility of the workflow. I recommend this approach if the workflow is short involve only review approval tasks.

Otherwise, go with a custom workflow with a mix of customized signoff component.

Thanks ......